Government, carmakers more worried than ever about vehicle cyber attacks

The NHTSA is expected to soon release cybersecurity guidelines to the auto industry

Automakers and legislators appear to be coming together on the need for greater cybersecurity for vehicles that are increasingly connected to the internet and controlled by ever-more sophisticated computer systems and software.

Volkswagen today announced it will form a cybersecurity company headed by Yuval Diskin, the former head of Israel’s security agency. The company, CyMotive Technologies, will be 40% owned by the German automaker and the rest will be controlled by Diskin and two other former leaders in Israel’s Shin Bet intelligence agency.

“The car and the Internet are becoming increasingly integrated. To enable us to tackle the enormous challenges of the next decade, we need to expand our know-how in cyber security in order to systematically advance vehicle cyber security for our customers,” Volkmar Tanneberger, Volkswagen’s head of electrical and electronic development, said in a statement. “CyMotive Technologies provides an excellent platform for doing this. It is a long-term investment in cyber security to make vehicles and their ecosystem more secure.”

Last year, Fiat Chrysler Automobiles (FCA), the world’s seventh largest automaker, issued a recall for 1.4 million vehicles to fix a software hole that allowed hackers to wirelessly break into some vehicles and electronically control vital functions.

Last month, the same hackers who proved FCA’s Jeep Cherokee could be hacked wirelessly demonstrated at the Black Hat conference in Las Vegas that the vehicle’s Controller Area Network (CAN) could also be hacked by physically connecting to the vehicle’s OBD-II diagnostics port.

In just nine hours, the hackers proved through a brute-force attack they were able to gain access to and control electronic systems, such as the speedometer, as well as to take control of the vehicle’s steering and brakes using diagnostic messages.

Since 1996, all vehicles have come with OBD-II ports. A vehicle’s CAN is the network that connects the dozens of electronic control units (tiny computers) in a modern vehicle.

A modern car has dozens of computers with as much as 100 million lines of code — and for every 1,000 lines there are as many as 15 bugs that are potential doors for would-be hackers.

Prior to last year’s Jeep Cherokee hack, which was performed by two independent security experts, the auto industry didn’t see an immediate threat, according to Egil Juliussen, director of research at IHS Automotive.

The infotainment system in a Jeep Cherokee. Chrysler, Dodge, Jeep and Ram issued a recall last year to address a hacking incident with a Jeep, which affected 1.4 million vehicles.

“Last year they all got kicked in the butt,” Juliussen said in an earlier interview with Computerworld. “When that happened, then they had a data point around how much it could cost to fix these things — 1.4 million cars that may cost $100, so all of a sudden you’re looking at $140 million to fix that. So that changed how they looked at it.”

The Jeep Cherokee was just one of five vehicles identified as “the most” hackable, by PT&C|LWG Forensic Consulting Services, which released their report on cybersecurity last year.

Along with the Jeep Cherokee, the report identified the 2014 Infiniti Q50, the 2015 Cadillac Escalade, the 2010 and 2014 Toyota Prius and the 2014 Ford Fusion as the most hackable.

Cars with the highest risk of cyber vulnerability, according to the report, tended to have the most features networked together, especially where radio or Wi-Fi networks are connected to physical components of vehicles.

By 2020, the number of Internet-connected vehicles will reach 150 million, according to Gartner, and 60% to 75% of them will be capable of consuming, creating and sharing Web-based data.

And, by 2035, there will be 21 million autonomous vehicles on roadways, according to research firm IHS Automotive.

This week, four Congressional members called for the National Highway Traffic Safety Administration (NHTSA) to lead an industry-wide effort to head off a cybersecurity threat to the increasingly sophisticated and wirelessly connected computer systems in vehicles.

The Republican members of the House Energy and Commerce Committee pointed to potential electronic attacks on the internal networks of automobiles through the use of OBD-II ports and the devices that connect to them.

“Researchers have been able to leverage either a direct connection to the OBD-II port, or devices that connect to the port, to cause a range of effects, from nuisances like digitally engaging the windshield wipers or car horn, to more consequential exploits such as remotely unlocking a vehicle’s doors or cutting a vehicle’s brakes or power steering,” the letter stated.

In July, Transportation Secretary Anthony Foxx said the NHTSA will soon release cybersecurity guidelines to the auto industry.

This week wasn’t the first time lawmakers called on the NHTSA to address vehicle cybersecurity issues. Last year, the House Energy and Commerce Committee sent a letter to the NHTSA calling on it to “track or evaluate” potential cyber vulnerabilities in wirelessly connected vehicles. The committee also sent a similar letter to all of the major automakers in the U.S.

Lawmakers pointed to ever-increasing numbers of vehicles with Wi-Fi, infotainment systems, over-the-air software upgrades, smartphone interfaces and self-driving features as adding to the number of possible hacker entry points.

“We are entering a new era in cybersecurity,” the letter from Committee Chair, Rep. Fred Upton (R-Mich), stated. “The explosion of new, connected devices and services is exacerbating existing cybersecurity challenges. This will be a significant challenge for the automobile industry.”

The NHTSA has said vehicle cybersecurity will require a “layered research approach,” which will include legislation, and the auto industry must take “independent steps to help improve the cybersecurity posture.”

This year, at the request of the NHTSA, the auto industry formed an Information Sharing and Analysis Center (ISAC) to help the industry proactively and uniformly address cybersecurity threats.

Sam Abuelsamid, an analyst with Navigant Research, recently co-authored a report on automotive cybersecurity and he said a flurry of companies have sprung up in Israel, including Argus Cyber Security and TowerSec. But not every company is taking the same approach to securing vehicles.

For example, Argus offers an intrusion detection and prevention module that ties into a vehicle’s controller area network (CAN), which connects the various electronic control units (ECUs) or computers in a car. TowerSec offers software that is embedded in existing ECUs. Karamba’s software is made to be integrated as part of a vehicle’s original factory setting and is aimed at creating firewalls between ECUs controlling infotainment, telematics and OBD (on-board diagnostics).

“Every new vehicle today…has at least some degree of automation capability,” Abuelsamid said. “Essentially, every vehicle on the road is going to need some aspect of cyber security built into it.”